Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/1019967?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/1019967?format=api", "purl": "pkg:npm/%40saltcorn/data@0.7.1-beta.1", "type": "npm", "namespace": "@saltcorn", "name": "data", "version": "0.7.1-beta.1", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "1.4.5", "latest_non_vulnerable_version": "1.6.0-beta.4", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89842?format=api", "vulnerability_id": "VCID-pfz1-y9nf-7fd7", "summary": "@saltcorn/data vulnerable to SQL Injection via jsexprToSQL Literal Handler\n## Summary\n\nThe `jsexprToSQL()` function in Saltcorn converts JavaScript expressions to SQL for use in database constraints. The `Literal` handler wraps string values in single quotes without escaping embedded single quotes, allowing SQL injection when creating Formula-type table constraints.\n\n\n## Vulnerable Component\n\n**File:** `packages/saltcorn-data/models/expression.ts`, lines 117-118\n\n```typescript\nLiteral({ value }: { value: ExtendedNode }) {\n if (typeof value == \"string\") return `'${value}'`; // NO ESCAPING!\n return `${value}`;\n},\n```\n\n**Call chain:** Formula constraint creation → `table_constraints.ts:127` → `jsexprToSQL()` → `Literal()` → `db.query()` executes unsanitized SQL.\n\n## Proof of Concept\n\n### Injection via Formula Constraint\n\nWhen an admin creates a Formula-type table constraint with the expression:\n\n```javascript\nname === \"test' OR '1'='1\"\n```\n\nThe `jsexprToSQL()` function generates:\n\n```sql\n(name)=('test' OR '1'='1')\n```\n\nThis is then executed as:\n\n```sql\nALTER TABLE \"tablename\" ADD CONSTRAINT \"tablename_fml_1\" CHECK ((name)=('test' OR '1'='1'));\n```\n\nThe single quote in the string literal is not escaped, breaking out of the SQL string context.\n\n### More Dangerous Payload\n\n```javascript\nname === \"'; DROP TABLE users; --\"\n```\n\nGenerates:\n\n```sql\n(name)=(''; DROP TABLE users; --')\n```\n\n### Verified on Saltcorn v1.5.0 (Docker)\n\nDirect invocation of `jsexprToSQL()` inside the running container confirms the vulnerability:\n\n```\nInput: name === \"hello\"\nOutput: (name)=('hello') ← Normal\n\nInput: name === \"test' OR '1'='1\"\nOutput: (name)=('test' OR '1'='1') ← Single quote NOT escaped, OR injected\n\nInput: name === \"'; DROP TABLE users; --\"\nOutput: (name)=(''; DROP TABLE users; --') ← DROP TABLE injected\n```\n\nThe test was performed on a completely fresh Saltcorn installation (zero user-created tables, default Docker setup).\n\n### PoC Screenshot\n\n1. Create a table after moving to the table menu\n\n<img width=\"1194\" height=\"559\" alt=\"SCR-20260307-edqn\" src=\"https://github.com/user-attachments/assets/a2d11102-f49b-4b2b-88ff-fced37476b6f\" />\n\n\n2. Go to the table and then to `Constraits`\n\n<img width=\"1180\" height=\"600\" alt=\"SCR-20260307-edsg\" src=\"https://github.com/user-attachments/assets/b55ddace-01be-4a53-8f62-cbec98172cd7\" />\n\n3. Go to `Formula`\n\n<img width=\"1130\" height=\"518\" alt=\"SCR-20260307-edud\" src=\"https://github.com/user-attachments/assets/8a5addc6-e681-401b-91ea-bce3b0eece54\" />\n\n4. Create a test table for verification\n\n<img width=\"857\" height=\"294\" alt=\"SCR-20260307-eetw\" src=\"https://github.com/user-attachments/assets/debc8581-8145-44cb-a684-2bc3eb7adbcf\" />\n\n5. Input the payload and save\n\n<img width=\"763\" height=\"383\" alt=\"SCR-20260307-ehcz\" src=\"https://github.com/user-attachments/assets/f7a3aa34-7b0b-48ea-b1df-f852f137c37f\" />\n\n6. Check the table for testing\n\n<img width=\"549\" height=\"256\" alt=\"SCR-20260307-ehuh\" src=\"https://github.com/user-attachments/assets/8f6da842-0275-4729-93bf-96575f3fe963\" />\n\n\n\n## Impact\n\n- Arbitrary SQL execution via crafted CHECK constraints\n- Data exfiltration through error-based or time-based SQL injection\n- Database schema manipulation (DROP TABLE, ALTER TABLE)\n- Potential privilege escalation via direct `users` table modification\n\n## Suggested Remediation\n\nEscape single quotes in the `Literal` handler:\n\n```typescript\nLiteral({ value }: { value: ExtendedNode }) {\n if (typeof value == \"string\") return `'${value.replace(/'/g, \"''\")}'`;\n return `${value}`;\n},\n```\n\nAlternatively, use parameterized queries for constraint creation instead of string interpolation.", "references": [ { "reference_url": "https://github.com/saltcorn/saltcorn", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/saltcorn/saltcorn" }, { "reference_url": "https://github.com/saltcorn/saltcorn/security/advisories/GHSA-59xv-588h-2vmm", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/saltcorn/saltcorn/security/advisories/GHSA-59xv-588h-2vmm" }, { "reference_url": "https://github.com/advisories/GHSA-59xv-588h-2vmm", "reference_id": "GHSA-59xv-588h-2vmm", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-59xv-588h-2vmm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/111065?format=api", "purl": "pkg:npm/%40saltcorn/data@1.4.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540saltcorn/data@1.4.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/111066?format=api", "purl": "pkg:npm/%40saltcorn/data@1.5.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540saltcorn/data@1.5.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/111067?format=api", "purl": "pkg:npm/%40saltcorn/data@1.6.0-beta.4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540saltcorn/data@1.6.0-beta.4" } ], "aliases": [ "GHSA-59xv-588h-2vmm" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pfz1-y9nf-7fd7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89212?format=api", "vulnerability_id": "VCID-xqes-aykm-17d8", "summary": "@saltcorn/data: Tenant user role is used for tenant creation role check\n## Summary\n\nWhen a tenant admin is logged out of the root domain (e.g., saltcorn.com) but logged in to their own tenant space as admin, they can simply append `/tenant/create` to their tenant URL. The system reads the role from the tenant context (admin), and a new tenant is created on the **root domain** (in `PUBLIC SCHEMA > _sc_tenants`), rather than in the tenant's own `_sc_tenants` table.\n\nIf the same logic applies to other routes, a tenant admin effectively gains admin rights on the root domain.\n\n## PoC\n\nA tenant-created subtenant appears under the Saltcorn public schema instead of the tenant's own schema.\n\n- Even when `role_id=1` is required for tenant creation on saltcorn.com (only admin can create tenants), existing tenant admins can still create new tenants because their local `role_id:1` is evaluated against the root domain.\n- Even when `role_to_create_tenant` is set to `0` in the tenant's `_sc_config` schema, or removed entirely, the tenant admin can still create sub-tenants on the root domain — suggesting `role_to_create_tenant` is not being read at all.\n\n## Impact\n\nTenant admins gain unauthorized admin-level access to the root domain. Any authenticated tenant admin can perform privileged operations (e.g., creating tenants) on the root domain by exploiting the role context mismatch.", "references": [ { "reference_url": "https://github.com/saltcorn/saltcorn", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/saltcorn/saltcorn" }, { "reference_url": "https://github.com/saltcorn/saltcorn/security/advisories/GHSA-9237-rg5p-rhfw", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/saltcorn/saltcorn/security/advisories/GHSA-9237-rg5p-rhfw" }, { "reference_url": "https://github.com/advisories/GHSA-9237-rg5p-rhfw", "reference_id": "GHSA-9237-rg5p-rhfw", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9237-rg5p-rhfw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/110257?format=api", "purl": "pkg:npm/%40saltcorn/data@1.4.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pfz1-y9nf-7fd7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540saltcorn/data@1.4.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/110259?format=api", "purl": "pkg:npm/%40saltcorn/data@1.5.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pfz1-y9nf-7fd7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540saltcorn/data@1.5.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/110260?format=api", "purl": "pkg:npm/%40saltcorn/data@1.6.0-beta.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pfz1-y9nf-7fd7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540saltcorn/data@1.6.0-beta.2" } ], "aliases": [ "GHSA-9237-rg5p-rhfw" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xqes-aykm-17d8" } ], "fixing_vulnerabilities": [], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540saltcorn/data@0.7.1-beta.1" }